{"id":18804,"library":"snyk-nuget-plugin","title":"Snyk NuGet Plugin","description":"Snyk CLI plugin for NuGet dependency analysis. Current stable version 4.2.1, released April 2026. Requires Node >=16. Ships TypeScript types. Scans project.json, packages.config, and project.assets.json to identify vulnerabilities. Key differentiator: first-class Snyk integration with dotnet restore, supports case-insensitive resolution and runtime flags. Breaking changes in v3/v4 removed legacy scanner flags. Used internally by snyk CLI; not typically installed directly.","status":"active","version":"4.2.1","language":"javascript","source_language":"en","source_url":"https://github.com/snyk/snyk-nuget-plugin","tags":["javascript","snyk","nuget","typescript"],"install":[{"cmd":"npm install snyk-nuget-plugin","lang":"bash","label":"npm"},{"cmd":"yarn add snyk-nuget-plugin","lang":"bash","label":"yarn"},{"cmd":"pnpm add snyk-nuget-plugin","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"dependency graph construction","package":"@snyk/dep-graph","optional":true},{"reason":"debug logging","package":"debug","optional":true}],"imports":[{"note":"ESM export; named import required.","wrong":"const inspect = require('snyk-nuget-plugin').inspect","symbol":"inspect","correct":"import { inspect } from 'snyk-nuget-plugin'"},{"note":"Named export, not default.","wrong":"import buildDepTreeFromProjectJson from 'snyk-nuget-plugin'","symbol":"buildDepTreeFromProjectJson","correct":"import { buildDepTreeFromProjectJson } from 'snyk-nuget-plugin'"},{"note":"ESM-only since v3; CJS require not supported.","wrong":"const { buildDepTreeFromPackagesConfig } = require('snyk-nuget-plugin')","symbol":"buildDepTreeFromPackagesConfig","correct":"import { buildDepTreeFromPackagesConfig } from 'snyk-nuget-plugin'"},{"note":"For .assets.json files.","wrong":"","symbol":"buildDepTreeFromProjectAssets","correct":"import { buildDepTreeFromProjectAssets } from 'snyk-nuget-plugin'"}],"quickstart":{"code":"import { inspect } from 'snyk-nuget-plugin';\nimport { execSync } from 'child_process';\nimport * as fs from 'fs';\n\nconst targetFile = 'path/to/project.assets.json';\n// Ensure .NET SDK is installed and restore has been run\nconst projectFolder = 'path/to/project';\ntry {\n  execSync('dotnet restore', { cwd: projectFolder, stdio: 'pipe' });\n} catch (e) {\n  console.error('dotnet restore failed:', e.stderr?.toString() || e.message);\n  process.exit(1);\n}\n\ninspect('.', targetFile)\n  .then((result) => {\n    console.log('Scanned successfully:', result.package?.name);\n    console.log('Dependencies:', JSON.stringify(result.dependencyTree, null, 2));\n  })\n  .catch((err) => console.error('Inspect failed:', err));\n","lang":"typescript","description":"Shows how to import the inspect function, run dotnet restore, and scan a NuGet project's assets file for vulnerabilities."},"warnings":[{"fix":"Remove these flags from configuration; they are no longer accepted.","message":"Removed useImprovedDotnetWithoutPublish and useFixForImprovedDotnetFalsePositives flags in v3.0.0","severity":"breaking","affected_versions":">=3.0.0"},{"fix":"Upgrade to v4.1.0+ to avoid removal; ensure flags are not used.","message":"Removed useImprovedDotnetWithoutPublish and useFixForImprovedDotnetFalsePositives flags (reinstated in v4.0.0 revert) – v3.1.0 also removed them","severity":"breaking","affected_versions":"3.0.0"},{"fix":"Prefer using the Snyk CLI tool to invoke plugin indirectly.","message":"The entire package is an internal Snyk plugin; direct usage outside Snyk CLI is deprecated and unsupported.","severity":"deprecated","affected_versions":">=3.0.0"},{"fix":"Install .NET SDK and run dotnet restore in the target directory.","message":"Requires dotnet CLI installed and accessible; dotnet restore must succeed before scanning.","severity":"gotcha","affected_versions":">=2.0.0"},{"fix":"Use type assertions or update to latest version.","message":"TypeScript types may be incomplete; some API surfaces lack strict typing for edge cases.","severity":"gotcha","affected_versions":">=2.0.0 <4.2.0"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Install as dependency: npm install snyk-nuget-plugin","cause":"Package not installed or not in node_modules","error":"Error: Cannot find module 'snyk-nuget-plugin'"},{"fix":"Use import { inspect } from 'snyk-nuget-plugin' instead of import inspect from 'snyk-nuget-plugin'","cause":"Incorrect import: default import used instead of named import","error":"TypeError: inspect is not a function"},{"fix":"Install .NET SDK >=6.0 and ensure internet access for NuGet restore","cause":"dotnet restore command failed, usually due to missing .NET SDK or network issues","error":"dotnet restore failed with exit code 1"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}